Compliance on the forefront: Setting the pace for innovation

2019 State of Compliance Study

The six habits that drive effective compliance program performance

Our 2019 Global Risk, Internal Audit and Compliance Survey of 2,000 executives (half in risk roles) shows that as organizations move through digital transformation, digitally fit compliance programs help leaders make better decisions and take smarter risks, based on their knowledge of existing and changing regulations.

The stakes from digital initiatives are high, in opportunities gained and potentially costly compliance requirements missed. To plan for regulatory shifts in evolving areas like data privacy or responsible AI, a compliance program’s digital fitness must match that of its organization. If not, gaps across the lines of defense will widen, and entry points for risk will grow. Compliance and ethics programs that are digitally enabled and data-driven bring a clearer line of sight into evolving regulations, so leaders can anticipate and plan for risk—and seize opportunities.

We analyzed the digital fitness of compliance functions by looking at five important fitness dimensions: Vision and roadmap, Ways of working, Operations, Services model and Stakeholder engagement.

We’ve identified six habits that lead to more digitally fit risk functions. As organizations go through digital transformations, these habits help drive effective compliance program and risk management performance. Lessons from the most digitally fit group, the Dynamics, guide compliance functions towards what they must do to advance.

Six habits fueling smarter risk taking through digital transformation

Go all-in on the organization’s digital plan

Get involved. More than their risk management or internal audit peers, compliance executives must lean into digital initiatives early to provide a perspective on ethical or regulatory considerations that might influence a project’s feasibility and design. The decentralized nature of many compliance programs helps. Embedded compliance resources are likely more aware of their business’ digital innovation. Two-thirds of Dynamics are involved in all digital initiatives.

Articulate the cost of noncompliance. Talk of potentially catastrophic cost often catches management’s ear. Noncompliance costs may start with fines but losses from eroded consumer trust, employee morale and competitive advantage can be substantial. These, in turn, may further erode investor confidence and share prices.

Dynamics build their digital fitness by translating the organization’s digital vision into their own and by managing against an aspirational digital operating model. Dynamics move their own digital plans forward by setting specific desired outcomes for digital investments.

Dynamics move their digital plan forward

Q. Is your compliance function conducting or planning to conduct the following activities related to building and managing a digital roadmap?
Response: Doing now
Base: 56 Dynamics, 43 Actives, 70 Beginners

Habit 2

Upskill and inject new talent to move at the speed of the organization

Cast a wider talent net. A healthcare compliance programme transforming its interactions with patients may, for example, seek talent in tech or retail to learn more about the ethical risks of consumer-facing, technology-enabled initiatives.

Look for skills beyond regulatory expertise. Future compliance capabilities will include bots running sophisticated algorithms through terabytes of data to monitor risk. New hires with both compliance and technology expertise in areas like data, analytics and cyber risk can oversee this human and machine team.

Finding such hybrid skills isn’t easy. Emerging compliance sourcing strategies include center-of-excellence models for cross-functional compliance specialists. Dynamics rely on such centers much more often than their peers.

Find the right fit for emerging technologies

As the pace of regulatory change increases, compliance programs need to move from the reactive to the predictive so their leaders can properly anticipate and plan. Technologies like robotic process automation (RPA) and AI can help them get there.

Roughly 72% of Dynamics use or plan to use robotic process automation within two years; about as many in the least digitally mature group do not plan to use RPA or don’t know how they would. Use of AI follows a similar pattern.

Dynamics are also using technologies to streamline operations and contain costs, and executives are keen to do so. Though many call the cost of compliance high and its ancillary costs invisible, they note rising compliance costs.

Invest in foundational technologies. New technologies help boost efficiency, agility and speed; they hold the same promise for compliance. Dynamics are investing in compliance-specific technology applications to support monitoring and alerts of legal and regulatory requirements far more often.

Dynamics find the right fit for emerging technologies

Q. Which of the following best describes your compliance function's use of each of these technologies?
Response: Doing now
Base: 46 Dynamics, 43 Actives, 83 Beginners

Habit 4

Enable the organization to act on risks in real time

Dynamics are finding fresh ways to flag potential compliance issues and propose plans or responses. Nearly 75% of Dynamics are developing new services such as real-time dashboards for stakeholders.

Find new ways to keep leaders abreast of regulatory and ethical risks. Analysis of social media and unstructured data can help surface anomalies in relationships between entities several nodes away from one’s immediate suppliers, as a signal of unethical or illegal behaviors. Applying analytics to global regulations databases to monitor regulatory change may also uncover relevant regulatory changes based on the organizations’ geographic scope, business model or client types.

Dynamics are investing in foundational technologies

Q. Which of the following best describes your compliance function's use of each of these technologies?
Response: Doing now
Base: 56 Dynamics, 43 Actives, 83 Beginners

Habit 5

Actively engage decision makers of key digital initiatives

Dynamics are active on core digital teams, contributing to and shaping digital plans. They also influence strategic executive decisions about digital initiatives, and they use digital tools for reporting far more often than their peers. These actions help compliance stay in lockstep with the business, engage early and deliver a clear picture of strategic risks.

Expand stakeholder relationships. New relationships may need to be forged with, for example, IT, engineering and product development teams involved in digital initiatives.

Dynamics create new methods and services

Q. Is your compliance function conducting or planning to conduct the following service-related activities based on the availability of digital technologies?
Response: Doing now
Base: 56 Dynamics, 43 Actives, 83 Beginners

Habit 6

Collaborate and align to provide a consolidated view of risks

Falling cost curves, advancing technology capabilities and quality data make fusing more risk activities affordable, feasible and powerful. Our study shows that working together and sharing investment across risk functions significantly contributes to their digital fitness.

Dynamics distance themselves most in their use of one set of risk metrics. They are also more likely to jointly use governance, risk and compliance (GRC) tools for a consolidated view of risks; they recruit, train and upskill with their risk management and internal audit peers.

Commonly shared data can help speed risk identification, monitoring and testing. In this regard, a single data lake with structured and unstructured data can free up risk functions to, for example, set up continuous monitoring.

The embedded and structured nature of compliance programs positions their functions to lead such integration efforts, providing faster, more accurate and more complete insights and alerts.

Setting the pace for innovation

Compliance and ethics programs are at a critical juncture. They must identify regulatory and compliance risk early in digital initiatives so their organizations can rapidly respond. That requires programs to offer new services and use new and existing data sources in fundamentally different ways. Now is the time for compliance to operate in a radically different way: one with a digital core.